<?php
/***
* @version $Id: common.php 336 2007-01-23 08:12:56Z flexiondotorg $
* @copyright (c) 2006 - 2007 Flexion.Org
*            (c) 2006 - 2007 damnian < damnian at phpbb dot cc > (Dmitry Shechtman) http://www.phpbb.cc
*            (c) 2006              kkroo < princeomz2004@hotmail.com > (Omar Ramadan) http://phpbb-login.sourceforge.net
*            (c) 2006              Afterlife_69 < afterlife_69@hotmail.com > (Dean Newman) http://www.ugboards.com
*            (c) 2005 - 2006 Ptirhiik (Pierre) http://ptifo.clanmckeen.com
*            (c) 2005 - 2006 Prent < prent@milkohol.net >
*            (c) 2004 - 2005 Project Minerva
*            (c) 2001 - 2006 phpBB Group
* @license   http://opensource.org/licenses/gpl-license.php GNU Public License
***/

if (!defined('IN_R3BORN'))
{
	die('Hacking attempt');
}

// This means that common.php was already included
if (defined('R3BORN_INSTALLED'))
{
	return;
}

### R3-born - ADD (Page Generation)
#
list($usec, $sec) = explode(" ", microtime());
$starttime= ((float)$usec + (float)$sec);

$base_memory_usage = 0;
if (function_exists('memory_get_usage'))
{
	$base_memory_usage = memory_get_usage();
}
#
### R3-born - END ADD

### R3-born - ADD (Intrusion Protection)
#
$url_denied = array(
   '/bin', '/usr', '/etc', '/boot', '/dev', '/perl', '/initrd', '/lost+found', '/mnt', '/proc', '/root', '/sbin', '/cgi-bin', '/tmp', '/var',
   'ps%20', 'wget%20', 'uname%20-a', '/chgrp', 'chgrp%20', '/chown', 'chown%20', '/chmod', 'chmod%20', 'md%20', 'mdir', 'rm%20', 'rmdir%20', 'mv%20', 'tftp%20', 'ftp%20', 'telnet%20', 'ls%20',
   'gcc%20-o', 'cc%20', 'cpp%20', 'g++%20', 'python%20', 'tclsh8%20', 'nasm%20', 'perl%20', 'traceroute%20', 'nc%20', 'nmap%20', '%20-display%20', 'lsof%20',
   '.conf', '.htgroup', '.htpasswd', '.htaccess', '.history', '.bash_history',
   '/rksh', '/bash', '/zsh', '/csh', '/tcsh', '/rsh', '/ksh', '/icat', 'document.domain(',
   '/....', '..../', 'cat%20', '/*%0a.pl',
   '/server-status', 'chunked', '/mod_gzip_status',
   'cmdd=', 'path=http://', 'exec', 'passthru', 'cmd', 'fopen', 'exit', 'fwrite',
   '<script', '/script>', '<?', '?>', 'javascript&#058;//', 'img src=',
   'root_path=', 'mvModule_root_path=', 'sql=', 'delete%20', '%20delete', 'drop%20', '%20drop', 'insert into', 'select%20', '%20select', 'union%20', '%20union', 'union(',
   'chr%20', 'chr(', 'http_', '_http', 'php_', '_php', '_global', 'global_', 'global[', '_globals', 'globals_', 'globals[', '_server', 'server_', 'server[',
   '$_request', '$_get', '$request', '$get',
);

$url_request = preg_replace('/([\s]+)/', '%20', strtolower($_SERVER['QUERY_STRING']));
$url_checked = preg_replace('/[\n\r]/', '', str_replace($url_denied, '', $url_request));

if ( $url_request != $url_checked )
{
	$ips_log = './cache/R3-born_IPS.log';

	// Attempt to write out the IPS log data.
	if ($fp = @fopen($ips_log, 'a'))
	{
		// Define the contents of IPS log entry in Combined Log format
		// http://httpd.apache.org/docs/1.3/logs.html#combined
		$attacker_ip 	= ( !empty($_SERVER['REMOTE_ADDR']) ) ? $_SERVER['REMOTE_ADDR'] : ( ( !empty($_ENV['REMOTE_ADDR']) ) ? $_ENV['REMOTE_ADDR'] : getenv('REMOTE_ADDR') );
		$attacker_ident = '-';
		$attacker_user = ( !empty($_SERVER['PHP_AUTH_USER']) ) ? $_SERVER['PHP_AUTH_USER'] : '-';

		$attacker_time 	= date('[d/M/Y:H:i:s O]');
		$attacker_query = '"' . $_SERVER['REQUEST_METHOD'] . ' ' . $_SERVER['REQUEST_URI'] . ' ' . $_SERVER['SERVER_PROTOCOL'] . '"';

		$attacker_referer = ( !empty($_SERVER['HTTP_REFERER']) ) ? $_SERVER['HTTP_REFERER'] : ( ( !empty($_ENV['HTTP_REFERER']) ) ? $_ENV['HTTP_REFERER'] : getenv('HTTP_REFERER') );
		$attacker_referer = '"' . $attacker_referer . '"';

		$attacker_agent = ( !empty($_SERVER['HTTP_USER_AGENT']) ) ? $_SERVER['HTTP_USER_AGENT'] : ( ( !empty($_ENV['HTTP_USER_AGENT']) ) ? $_ENV['HTTP_USER_AGENT'] : getenv('HTTP_USER_AGENT') );
		$attacker_agent = '"' . $attacker_agent . '"';

		$ips_data = $attacker_ip . ' ' . $attacker_ident . ' ' . $attacker_user . ' ' . $attacker_time . ' ' . $attacker_query . ' 400 - ' . $attacker_referer . ' ' . $attacker_agent . "\n";

		@fwrite($fp, $ips_data);
	}
	@fclose($fp);

      // Begin Attempt-Counter
      $varnum = 0;
      $countername = "./cache/counter.txt";
      $count_value1 = @file_get_contents($countername);

      $count_value1++;

      $fp = fopen ('./cache/counter.txt', 'a');
      ftruncate($fp, '0');
      $counterstring = $count_value1;
      fwrite ($fp, $counterstring);
      fclose ($fp);
      // End Attempt-Counter

   	die('Hacking attempt! <br /><br /><b>Attempt Logged and Blocked</b><br />');

}
#
### R3-born - END ADD

// This will NOT report uninitialized variables
error_reporting(E_ERROR | E_WARNING | E_PARSE);

/*
* Remove variables created by register_globals from the global scope
* Thanks to Matt Kavanagh
*/
function deregister_globals()
{
	$not_unset = array(
		'GLOBALS' => true,
		'_GET' => true,
		'_POST' => true,
		'_COOKIE' => true,
		'_REQUEST' => true,
		'_SERVER' => true,
		'_SESSION' => true,
		'_ENV' => true,
		'_FILES' => true,
		'phpEx' => true,
		'root_path' => true,
		'mvModule_root_path' => true
	);

	// Not only will array_merge and array_keys give a warning if
	// a parameter is not an array, array_merge will actually fail.
	// So we check if _SESSION has been initialised.
	if (!isset($_SESSION) || !is_array($_SESSION))
	{
		$_SESSION = array();
	}

	// Merge all into one extremely huge array; unset
	// this later
	$input = array_merge(
		array_keys($_GET),
		array_keys($_POST),
		array_keys($_COOKIE),
		array_keys($_SERVER),
		array_keys($_SESSION),
		array_keys($_ENV),
		array_keys($_FILES)
	);

	foreach ($input as $varname)
	{
		if (isset($not_unset[$varname]))
		{
			// Hacking attempt. No point in continuing.
			die('Hacking attempt');
		}
		unset($GLOBALS[$varname]);
	}
	unset($input);
}

function array_addslashes(&$array)
{
	foreach ($array as $k => $v)
	{
		if ( is_array($array[$k]))
		{
			array_addslashes($array[$k]);
		}
		else
		{
			$array[$k] = addslashes($v);
		}
	}
}

// If we are not on PHP >= 6.0.0 we do not need to run some code
if (!version_compare(phpversion(), '6.0.0-dev', '>='))
{
	set_magic_quotes_runtime(0);

	// Be paranoid with passed vars
	if (@ini_get('register_globals') == '1' || strtolower(@ini_get('register_globals')) == 'on')
	{
		deregister_globals();
	}
}

if (!get_magic_quotes_gpc())
{
	// None of these are conditionaly set.
	/*
	array_addslashes($HTTP_GET_VARS);
	array_addslashes($HTTP_POST_VARS);
	array_addslashes($HTTP_COOKIE_VARS);
	*/

	array_addslashes($_GET);
	array_addslashes($_POST);
	array_addslashes($_COOKIE);
	array_addslashes($_REQUEST);
}

//
// Define some basic configuration arrays this also prevents
// malicious rewriting of language and other array values via
// URI params
//
$config = array();
$color_groups = array();
$userdata = array();
$theme = array();
$images = array();
$lang = array();
$bread_crumbs = array();
$dss_seeded = false;

$mvModules = array();
$mvPages = array();
$mvLayouts = array();
$mvModuleTemplates = array();
$mvCSS = array();

$bot_style = array();
$bot_name = array();
$bot_ip = array();
$bot_agent = array();

include($root_path . 'config.'.$phpEx);

if( !defined('R3BORN_INSTALLED') )
{
	header('Location: ' . $root_path . 'install/install.' . $phpEx);
	exit;
}

require($root_path . 'includes/constants.'.$phpEx);
require($root_path . 'includes/class_template.'.$phpEx);
require($root_path . 'includes/functions_sessions.'.$phpEx);
require($root_path . 'includes/functions.'.$phpEx);
require($root_path . 'includes/functions_modules.'.$phpEx);
require($root_path . 'includes/class_hooks.' . $phpEx);
require($root_path . 'includes/db/' . $dbms . '.' . $phpEx);

add_crumb(append_sid('index.'.$phpEx), $lang['Home']);

// Make the database connection.
$db = new sql_db($dbhost, $dbuser, $dbpasswd, $dbname, false);
if(!$db->db_connect_id)
{
	message_die(CRITICAL_ERROR, 'Could not connect to the database');
}

// We do not need this any longer, unset for safety purposes
unset($dbpasswd);

//
// Obtain and encode users IP
//
// I'm removing HTTP_X_FORWARDED_FOR ... this may well cause other problems such as
// private range IP's appearing instead of the guilty routable IP
//
$client_ip = ( !empty($_SERVER['REMOTE_ADDR']) ) ? $_SERVER['REMOTE_ADDR'] : ( ( !empty($_ENV['REMOTE_ADDR']) ) ? $_ENV['REMOTE_ADDR'] : getenv('REMOTE_ADDR') );
$user_ip = encode_ip($client_ip);

$config = obtain_config();
$color_groups = obtain_color_groups();

//Register the core page ids
register_page_id('PAGE_INDEX', 'index.' .$phpEx, 'Home', true);
register_page_id('PAGE_SEARCH', 'search.' .$phpEx, 'Search', true);
register_page_id('PAGE_LOGIN', 'login.' .$phpEx, 'Login', true);
register_page_id('PAGE_PROFILE', 'profile.' .$phpEx, 'Profile', true);
register_page_id('PAGE_REGISTER', 'register.' .$phpEx, 'Register', true);
register_page_id('PAGE_HELP', 'help.' .$phpEx, 'Help', true);
register_page_id('PAGE_GROUPCP', 'groupcp.' .$phpEx, 'Usergroups', true);
register_page_id('PAGE_POLICY', 'policy.' .$phpEx, 'Policy', true);

### R3-born - ADD (Module Engine)
#
$mvReqModuleName = get_var('module', '');
initModules();
#
### R3-born - END ADD

if (file_exists('install'))
{
	message_die(GENERAL_MESSAGE, 'Please_remove_install');
}

?>